https://developer.android.com/guide/topics/security/permissions.html

Android is a privilege-separated operating system, in which each application runs with a distinct system identity (Linux user ID and group ID). Parts of the system are also separated into distinct identities. Linux thereby isolates applications from each other and from the system.

Additional finer-grained security features are provided through a "permission" mechanism that enforces restrictions on the specific operations that a particular process can perform, and per-URI permissions for granting ad hoc access to specific pieces of data.

安全架构

Android安全架构的一条中心设计原则是在默认条件下，应用没有对其他应用、系统或用户可能有不利影响的权限。如果要使用这些权限，该应用必须申请权限，用户允许后才可使用。

应用签名

All APKs (.apk files) must be signed with a certificate whose private key is held by their developer. This certificate identifies the author of the application.

User IDs and File Access

At install time, Android gives each package a distinct Linux user ID. The identity remains constant for the duration of the package's life on that device. On a different device, the same package may have a different UID; what matters is that each package has a distinct UID on a given device.

Any data stored by an application will be assigned that application's user ID, and not normally accessible to other packages. When creating a new file with [getSharedPreferences(String, int)](https://developer.android.com/reference/android/content/Context.html#getSharedPreferences(java.lang.String, int)), [openFileOutput(String, int)](https://developer.android.com/reference/android/content/Context.html#openFileOutput(java.lang.String, int)), or [openOrCreateDatabase(String, int, SQLiteDatabase.CursorFactory)](https://developer.android.com/reference/android/content/Context.html#openOrCreateDatabase(java.lang.String, int, android.database.sqlite.SQLiteDatabase.CursorFactory)), you can use the MODE_WORLD_READABLE and/or MODE_WORLD_WRITEABLE flags to allow any other package to read/write the file.

使用权限

To make use of protected features of the device, you must include one or more <uses-permission> tags in your app manifest.

Normal and Dangerous Permissions

权限分为 normal permissions 和 dangerous permissions（还有一种特殊的权限：special permissions，包括SYSTEM_ALERT_WINDOW和WRITE_SETTINGS，一般使用不到）。normal permissions （Normal permissions cover areas where your app needs to access data or resources outside the app's sandbox, but where there's very little risk to the user's privacy or the operation of other apps. ）不需要在 AndroidMenifest.xml 文件中申明，系统默认给你这些权限。dangerous permissions （Dangerous permissions cover areas where the app wants data or resources that involve the user's private information, or could potentially affect the user's stored data or the operation of other apps.）需要在AndroidMenifest.xml文件中申明，根据API的不同可以分成两种情况：

• If the device is running Android 6.0 (API level 23) or higher, and the app's targetSdkVersion
  is 23 or higher, the app requests permissions from the user at run-time. The user can revoke the permissions at any time, so the app needs to check whether it has the permissions every time it runs.
• If the device is running Android 5.1 (API level 22) or lower, or the app's targetSdkVersion
  is 22 or lower, the system asks the user to grant the permissions when the user installs the app. If you add a new permission to an updated version of the app, the system asks the user to grant that permission when the user updates the app. Once the user installs the app, the only way they can revoke the permission is by uninstalling the app.

Permission Groups

All dangerous Android system permissions belong to permission groups. If the device is running Android 6.0 (API level 23) and the app's targetSdkVersion
is 23 or higher, the following system behavior applies when your app requests a dangerous permission:

• If an app requests a dangerous permission listed in its manifest, and the app does not currently have any permissions in the permission group, the system shows a dialog box to the user describing the permission group that the app wants access to. The dialog box does not describe the specific permission within that group.
• If an app requests a dangerous permission listed in its manifest, and the app already has another dangerous permission in the same permission group, the system immediately grants the permission without any interaction with the user.

一共有9组权限组，分别是CALENDAR, CAMERA, CONTACTS, LOCATION, MICROPHONE, PHONE, SENSORS, SMS, STORAGE. **

Defining and Enforcing Permissions

To enforce your own permissions, you must first declare them in your AndroidManifest.xml using one or more <permission> elements.

Custom permission recommendations

Apps can define their own custom permissions and request custom permissions from other apps by defining <uses-permission>
elements.

Enforcing Permissions in AndroidManifest.xml

主要讲Activity、Service、BroadcastReceiver、ContentProvider的权限使用时机。其中ContentProvider有一种比较特殊的权限URI Permissions.